Apple disables Group FaceTime after reports of eavesdropping security flaw

Apple disabled its Group FaceTime feature in iPhones after multiple reports that users could initiate a FaceTime call and begin listening in on a recipient’s audio without them picking up the call or knowing they were being monitored.

The bug occurred after a user initiated a FaceTime video call with another iPhone or device running iOS and added themselves to the call while it was dialing, according to 9to5Mac, which first revealed the major privacy and security issue. This created a conference call that allowed the user to eavesdrop on the audio transmitted by the recipient.

The malfunction was replicated by Bloomberg News, which also claimed that video of a caller could be secretly transmitted if the recipient pressed the power button or the volume controls on their device.

“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” Apple said in a statement to The Washington Post on Tuesday.

According to the Wall Street Journal, a 14-year-old in Arizona discovered the same security flaw earlier this month while he was using FaceTime to set up a Fortnite gaming session with friends. According to the report, the teenager’s mother, Michele Thompson, reported the bug to Apple, calling and faxing the company, and emailing with the security team days before news reports were published about the bug. The mother and son also posted about the issue on social media, but Thompson said it was frustrating trying to get Apple’s attention, the report said, and she isn’t sure how knowledge of the bug was made public. Thompson and Apple did not respond to requests for comment about her son’s discovery.

My son just found a major flaw in Apple’s new iOS, that allows you to hear another person in the vicinity of their...

Apple’s system status Web page, which lets users know whether an app or service has a problem, says that “Group FaceTime is temporarily unavailable.” The group video-calling feature was disabled at 10:16 p.m. Monday and remains offline.

Users can disable FaceTime by tapping settings, scrolling down to the FaceTime app and toggling it off.

The security lapse is especially significant because Apple markets itself as a consumer tech company dedicated to privacy and security. The company has also tried to distinguish itself from rival Silicon Valley tech giants by emphasizing its commitment to excellence in hardware, in contrast to business models that rely on widespread data collection.

After the eavesdropping reports, New York Gov. Andrew M. Cuomo (D) issued a consumer alert Monday night, urging consumers to disable FaceTime on their devices.

“The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk,” Cuomo said in the alert. “In New York, we take consumer rights very seriously and I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes. In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release the fix without delay.”

Jack Dorsey, chief executive of Twitter, also chimed in. He told his more than 4 million followers on the social media platform he runs to “disable FaceTime for now until Apple fixes.”

The discovery of the serious security problem came just a day before the company is scheduled to disclose its quarterly earnings. The timing may be especially trying for investors. Earlier this month, Apple chief executive Tim Cook rattled stockholders and the broader stock market when he announced that company earnings would fall short of estimates, owing to a deep economic slowdown in China. That was the first time the company scaled back its quarterly sales estimates in more than 15 years.

At CES, the annual consumer tech conference this month, Apple touted its commitment to privacy on a giant billboard in Las Vegas. “What happens on your iPhone stays on your iPhone,” said the huge ad, which spanned the height of a multistory building, and was seen as a not-so-subtle dig at Google.

Cook has also called for a national data privacy law, which would regulate how competitors such as Google and Facebook collect information about users. He most recently proposed that the Federal Trade Commission take a more aggressive role in overseeing data brokers, companies that collect and sell people’s information, and allow consumers to track and delete the data about them.


Hamza Shaban is a technology reporter for The Washington Post. Previously, he covered tech policy for BuzzFeed.